From: Juergen Borleis <jbe@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: [ptxdist] [PATCH] iptables: serialize startup service units
Date: Wed, 22 Jan 2020 12:21:28 +0100 [thread overview]
Message-ID: <20200122112128.2765-1-jbe@pengutronix.de> (raw)
Since iptables-1.8.x the tool complains at run-time if a second instance
holds the shared lock:
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
If IPv4 and IPv6 is enabled, this concurrent situation can happen and at
the end one of both setups isn't done (first instance wins).
By serializing both service units this concurrent situation cannot occur
and both setups are done as expected.
Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
---
projectroot/usr/lib/systemd/system/ip6tables.service | 2 ++
projectroot/usr/lib/systemd/system/iptables.service | 2 ++
2 files changed, 4 insertions(+)
diff --git a/projectroot/usr/lib/systemd/system/ip6tables.service b/projectroot/usr/lib/systemd/system/ip6tables.service
index e842cc197..7cf9ab88b 100644
--- a/projectroot/usr/lib/systemd/system/ip6tables.service
+++ b/projectroot/usr/lib/systemd/system/ip6tables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
+# ensure, we are running after IPv4
+After=iptables.service
ConditionFileNotEmpty=/etc/iptables/rules.v6
[Service]
Type=oneshot
diff --git a/projectroot/usr/lib/systemd/system/iptables.service b/projectroot/usr/lib/systemd/system/iptables.service
index fa4a8b367..29999628e 100644
--- a/projectroot/usr/lib/systemd/system/iptables.service
+++ b/projectroot/usr/lib/systemd/system/iptables.service
@@ -3,6 +3,8 @@ Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
+# ensure, we are running before IPv6
+Before=ip6tables.service
ConditionFileNotEmpty=/etc/iptables/rules.v4
[Service]
Type=oneshot
--
2.20.1
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
reply other threads:[~2020-01-22 11:21 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122112128.2765-1-jbe@pengutronix.de \
--to=jbe@pengutronix.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox